AMENDMENT(S) TO THE CLAIMS: 

The following listing of claims will replace all prior versions, and listings, of claims on the 
application. All claims are set forth below with one of the following annotations. 

• (Original): Claim filed with the application following the specification. 

• (Currently amended): Claim being amended in the current amendment paper. 

• (Cancelled): Claim cancelled or deleted from the application. 

• (Withdrawn): Claim still in the application, but in a non-elected status. 

• (New): Claim being added in the current amendment paper. 

• (Previously presented): Claim not being currently amended, but which was 
amended or was new in a previous amendment paper. 

• (Not entered): Claim presented in a previous amendment, but not entered or whose 
entry status is unknown. No claim text is shown. 

1.-10. (Cancelled). 

11. (Original) A method of examining packets passing through a connection point on a 
computer network, each packet conforming to one or more protocols, the method 
comprising: 

(a) receiving a packet from a packet acquisition device; 

(b) performing one or more parsing/extraction operations on the packet to 
create a parser record comprising a function of selected portions of the packet; 

(c) looking up a flow-entry database comprising none or more flow-entries for 
previously encountered conversational flows, the looking up using at least 
some of the selected packet portions and determining if the packet is of an 
existing flow; 

(d) if the packet is of an existing flow, classifying the packet as belonging to the 
found existing flow; and 

(e) if the packet is of a new flow, storing a new flow-entry for the new flow in 
the flow-entry database, including identifying information for future packets to 
be identified with the new flow-entry, 

wherein the parsing/extraction operations depend on one or more of the protocols to 
which the packet conforms. 

12. (Original) A method according to claim 11, wherein each packet passing through 
the connection point is examined in real time. 

13. (Original) A method according to claim 11, wherein classifying the packet as 
belonging to the found existing flow includes updating the flow-entry of the existing 
flow. 

14. (Original) A method according to claim 13, wherein updating includes storing one 
or more statistical measures stored in the flow-entry of the existing flow. 

15. (Original) A method according to claim 14, wherein the one or more statistical 
measures include measures selected from the set consisting of the total packet count 
for the flow, the time, and a differential time from the last entered time to the present 
time. 

16. (Original) A method according to claim 11, wherein the function of the selected 
portions of the packet forms a signature that includes the selected packet portions and 
that can identify future packets, wherein the lookup operation uses the signature and 
wherein the identifying information stored in the new or updated flow-entry is a 
signature for identifying future packets. 

17. (Original) A method according to claim 11, wherein at least one of the protocols of 
the packet uses source and destination addresses, and wherein the selected portions of 
the packet include the source and destination addresses. 

18. (Original) A method according to claim 17, wherein the function of the selected 
portions for packets of the same flow is consistent independent of the direction of the 
packets. 

19. (Original) A method according to claim 18, wherein the source and destination 
addresses are placed in an order determined by the order of numerical values of the 
addresses in the function of selected portions. 

20. (Original) A method according to claim 19, wherein the numerically lower address 
is placed before the numerically higher address in the function of selected portions. 

21. (Original) A method according to claim 11, wherein the looking up of the flow- 
entry database uses a hash of the selected packet portions. 
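
The following example is added for illustration and is not part of the claims as filed or of the applicant's implementation. It shows, in Python, the flow lookup recited in claims 11, 13 to 15 and 17 to 21: a direction-independent signature with the numerically lower address first, a hashed lookup, and per-flow statistics. The port and protocol fields in the key, the SHA-256 hash, the bin count and the sample packets are assumptions.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

NUM_BINS = 1024  # assumed table size; the claims do not fix one

def flow_signature(src_ip, src_port, dst_ip, dst_port, proto):
    """Key that is identical for both directions of a conversation."""
    a = (int(ipaddress.ip_address(src_ip)), src_port)
    b = (int(ipaddress.ip_address(dst_ip)), dst_port)
    lo, hi = (a, b) if a <= b else (b, a)  # numerically lower address first
    return (proto, lo, hi)

def bin_index(signature):
    """Hash of the selected packet portions, used to pick a bin."""
    digest = hashlib.sha256(repr(signature).encode()).digest()
    return int.from_bytes(digest[:4], "big") % NUM_BINS

@dataclass
class FlowEntry:
    signature: tuple
    last_seen: float
    packets: int = 1
    last_delta: float = 0.0  # differential time since the last entered time

class FlowTable:
    def __init__(self):
        self.bins = [[] for _ in range(NUM_BINS)]

    def classify(self, pkt, now):
        """Return (entry, is_new) for one parsed packet record."""
        sig = flow_signature(*pkt)
        bucket = self.bins[bin_index(sig)]
        for entry in bucket:
            if entry.signature == sig:  # existing flow: update statistics
                entry.packets += 1
                entry.last_delta = now - entry.last_seen
                entry.last_seen = now
                return entry, False
        entry = FlowEntry(sig, now)  # new flow: store identifying signature
        bucket.append(entry)
        return entry, True

def demo():
    """Run four constructed packets (not captured traffic) through the table."""
    table = FlowTable()
    pkts = [
        (("10.0.0.5", 51000, "192.0.2.10", 443, "tcp"), 0.00),  # client to server
        (("192.0.2.10", 443, "10.0.0.5", 51000, "tcp"), 0.25),  # reply, same flow
        (("10.0.0.5", 51001, "192.0.2.10", 443, "tcp"), 0.50),  # second connection
        (("10.0.0.5", 51000, "192.0.2.10", 443, "tcp"), 1.00),  # first flow again
    ]
    return [table.classify(p, t) for p, t in pkts], table
```
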

22. (Original) A method according to claim 11, wherein the parsing/extraction 
operations are according to a database of parsing/extraction operations that includes 
information describing how to determine a set of one or more protocol dependent 
extraction operations from data in the packet that indicate a protocol used in the 
packet. 

23. (Original) A method according to claim 11, wherein step (d) includes if the packet 
is of an existing flow, obtaining the last encountered state of the flow and performing 
any state operations specified for the state of the flow starting from the last 
encountered state of the flow; and wherein step (e) includes if the packet is of a new 
flow, performing any state operations required for the initial state of the new flow. 

24. (Original) A method according to claim 23, wherein the state processing of each 
received packet of a flow furthers the identifying of the application program of the 
flow. 

25. (Original) A method according to claim 23, wherein the state operations include 
updating the flow-entry, including storing identifying information for future packets to 
be identified with the flow-entry. 

26. (Original) A method according to claim 25, wherein the state processing of each 
received packet of a flow furthers the identifying of the application program of the 
flow. 

27. (Original) A method according to claim 23, wherein the state operations include 
searching the parser record for the existence of one or more reference strings. 

28. (Original) A method according to claim 23, wherein the state operations are carried 
out by a programmable state processor according to a database of protocol dependent 
state operations. 

29. (Original) A packet monitor for examining packets passing through a connection 
point on a computer network, each packet conforming to one or more protocols, the 
monitor comprising: 

(a) a packet acquisition device coupled to the connection point and configured 
to receive packets passing through the connection point; 

(b) an input buffer memory coupled to and configured to accept a packet from 
the packet acquisition device; 

(c) a parser subsystem coupled to the input buffer memory and including a 
slicer, the parsing subsystem configured to extract selected portions of the 
accepted packet and to output a parser record containing the selected portions; 

(d) a memory for storing a database comprising none or more flow-entries for 
previously encountered conversational flows, each flow-entry identified by 
identifying information stored in the flow-entry; 

(e) a lookup engine coupled to the output of the parser subsystem and to the 
flow-entry memory and configured to lookup whether the particular packet 
whose parser record is output by the parser subsystem has a matching 
flow-entry, the looking up using at least some of the selected packet portions and 
determining if the packet is of an existing flow; and 

(f) a flow insertion engine coupled to the flow-entry memory and to the lookup 
engine and configured to create a flow-entry in the flow-entry database, the 
flow-entry including identifying information for future packets to be identified 
with the new flow-entry, 

the lookup engine configured such that if the packet is of an existing flow, the monitor 
classifies the packet as belonging to the found existing flow; and if the packet is of a 
new flow, the flow insertion engine stores a new flow-entry for the new flow in the 
flow-entry database, including identifying information for future packets to be 
identified with the new flow-entry, 

wherein the operation of the parser subsystem depends on one or more of the protocols 
to which the packet conforms. 

30. (Original) A monitor according to claim 29, wherein each packet passing through 
the connection point is accepted by the packet buffer memory and examined by the 
monitor in real time. 

31. (Original) A monitor according to claim 29, wherein the lookup engine updates the 
flow-entry of an existing flow in the case that the lookup is successful. 

32. (Original) A monitor according to claim 29, further including a mechanism for 
building a hash from the selected portions, wherein the hash is included in the input 
for a particular packet to the lookup engine, and wherein the hash is used by the 
lookup engine to search the flow-entry database. 

33. (Original) A monitor according to claim 29, further including a memory containing 
a database of parsing/extraction operations, the parsing/extraction database memory 
coupled to the parser subsystem, wherein the parsing/extraction operations are 
according to one or more parsing/extraction operations looked up from the 
parsing/extraction database. 

34. (Original) A monitor according to claim 33, wherein the database of 
parsing/extraction operations includes information describing how to determine a set 
of one or more protocol dependent extraction operations from data in the packet that 
indicate a protocol used in the packet. 

35. (Original) A monitor according to claim 29, further including a flow-key-buffer 
(UFKB) coupled to the output of the parser subsystem and to the lookup engine and to 
the flow insertion engine, wherein the output of the parser monitor is coupled to the 
lookup engine via the UFKB, and wherein the flow insertion engine is coupled to the 
lookup engine via the UFKB. 

36. (Original) A method according to claim 29, further including a state processor 
coupled to the lookup engine and to the flow-entry-database memory, and configured 
to perform any state operations specified for the state of the flow starting from the last 
encountered state of the flow in the case that the packet is from an existing flow and 
to perform any state operations required for the initial state of the new flow in the case 
that the packet is from an existing flow. 

37. (Original) A method according to claim 29, wherein the set of possible state 
operations that the state processor is configured to perform includes searching for one 
or more patterns in the packet portions. 



Ref./Docket: APPT-001-1-1 Page 6 

38. (Original) A monitor according to claim 36, wherein the state processor is 
programmable, the monitor further including a state patterns/operations memory 
coupled to the state processor, the state operations memory configured to store a 
database of protocol dependent state patterns/operations. 

39. (Original) A monitor according to claim 35, further including a state processor 
coupled to the UFKB and to the flow-entry-database memory, and configured to 
perform any state operations specified for the state of the flow starting from the last 
encountered state of the flow in the case that the packet is from an existing flow, and 
to perform any state operations required for the initial state of the new flow in the case 
that the packet is from an existing flow. 

40. (Original) A monitor according to claim 36, wherein the state operations include 
updating the flow-entry, including identifying information for future packets to be 
identified with the flow-entry. 

41. (Original) A packet monitor according to claim 29, further comprising: 

a compiler processor coupled to the parsing/extraction operations memory, 
the compiler processor configured to run a compilation process that includes: 

receiving commands in a high-level protocol description language 
that describe the protocols that may be used in packets encountered by 
the monitor and any children protocols thereof, and 

translating the protocol description language commands into a 
plurality of parsing/extraction operations that are initialized into the 
parsing/extraction operations memory. 

42. (Original) A packet monitor according to claim 38, further comprising: 

a compiler processor coupled to the parsing/extraction operations memory, 
the compiler processor configured to run a compilation process that includes: 

receiving commands in a high-level protocol description language 
that describe a correspondence between a set of one or more application 
programs and the state transition patterns/operations that occur as a 
result of particular conversational flow-sequences associated with an 
application program, and 

translating the protocol description language commands into a 
plurality of state patterns and state operations that are initialized into 
the state patterns/operations memory. 

43. (Original) A packet monitor according to claim 29, further comprising: 

a cache subsystem coupled to and between the lookup engine and the flow-entry 
database memory providing for fast access of a set of likely-to-be-accessed 
flow-entries from the flow-entry database. 

44. (Original) A packet monitor according to claim 43, wherein the cache subsystem is 
an associative cache subsystem including one or more content addressable memory 
cells (CAMS). 

45. (Original) A packet monitor according to claim 44, wherein the cache subsystem is 
also a least-recently-used cache memory such that a cache miss updates the least 
recently used cache entry. 

46. (Original) A packet monitor according to claim 29, wherein each flow-entry stores 
one or more statistical measures about the flow, the monitor further comprising 

a calculator for updating at least one of the statistical measures in the flow-entry of 
the accepted packet. 

47. (Original) A packet monitor according to claim 46, wherein the one or more 
statistical measures include measures selected from the set consisting of the total 
packet count for the flow, the time, and a differential time from the last entered time to 
the present time. 

48. (Original) A packet monitor according to claim 46, further including a statistical 
processor configured to determine one or more network usage metrics related to the 
flow from one or more of the statistical measures in a flow-entry. 

49. (Original) A monitor according to claim 29, wherein: 

flow-entry-database is organized into a plurality of bins that each contain N-number 
of flow-entries, and wherein said bins are accessed via a hash data value created by a 
parser subsystem based on the selected packet portions, wherein N is one or more. 

50. (Original) A monitor according to claim 49, wherein the hash data value is used to 
spread a plurality of flow-entries across the flow-entry-database and allows fast lookup 
of a flow-entry and shallower buckets. 

51. (Original) A monitor according to claim 36, wherein the state processor analyzes 
both new and existing flows in order to classify them by application and proceeds 
from state-to-state based on a set of predefined rules. 

52. (Original) A monitor according to claim 29, wherein the lookup engine begins 
processing as soon as a parser record arrives from the parser subsystem. 

53. (Original) A monitor according to claim 36, wherein the lookup engine provides for 
flow state entry checking to see if a flow key should be sent to the state processor, and 
that outputs a protocol identifier for the flow. 

54. (Original) A method of examining packets passing through a connection point on a 
computer network, the method comprising: 

(a) receiving a packet from a packet acquisition device; 

(b) performing one or more parsing/extraction operations on the packet 
according to a database of parsing/extraction operations to create a parser 
record comprising a function of selected portions of the packet, the database of 
parsing/extraction operations including information on how to determine a set 
of one or more protocol dependent extraction operations from data in the 
packet that indicate a protocol is used in the packet; 

(c) looking up a flow-entry database comprising none or more flow-entries for 
previously encountered conversational flows, the looking up using at least 
some of the selected packet portions, and determining if the packet is of an 
existing flow; 

(d) if the packet is of an existing flow, obtaining the last encountered state of 
the flow and performing any state operations specified for the state of the flow 
starting from the last encountered state of the flow; and 

(e) if the packet is of a new flow, performing any analysis required for the 
initial state of the new flow and storing a new flow-entry for the new flow in 
the flow-entry database, including identifying information for future packets to 
be identified with the new flow-entry. 

55. (Original) A method according to claim 54, wherein one of the state operations 
specified for at least one of the states includes updating the flow-entry, including 
identifying information for future packets to be identified with the flow-entry. 

56. (Original) A method according to claim 54, wherein one of the state operations 
specified for at least one of the states includes searching the contents of the packet for 
at least one reference string. 

57. (Original) A method according to claim 55, wherein one of the state operations 
specified for at least one of the states includes creating a new flow-entry for future 
packets to be identified with the flow, the new flow-entry including identifying 
information for future packets to be identified with the flow-entry. 

58. (Original) A method according to claim 54, further comprising forming a signature 
from the selected packet portions, wherein the lookup operation uses the signature and 
wherein the identifying information stored in the new or updated flow-entry is a 
signature for identifying future packets. 

59. (Original) A method according to claim 54, wherein the state operations are 
according to a database of protocol dependent state operations. 



